-
|
In a web application, I am using Azure AD (OpenId Connect protocol) to authenticate users. However for authorization, I would like to use ASP.NET Core Identity, to let the application admins manage users' access in the application level. I was expecting something similar has been done already but so far my searches didn't lead me to any example of this. So, my first question is if anyone can point me to an example or a related document? Second, in order to achieve this I think I need to add a step in Startup pipeline to add the user to cookie. Perhaps by creating a handler for OnTokenValidated event and add the user to the cookie, as it does by ASP.NET Identity, after a successful sign in. Am I on the right track here? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
I don't have a good sample to point to, but you can treat AAD just like any other external provider for Identity. Look at this Facebook example: |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the response Chris. I think I should have mentioned that I'm not looking for an additional authentication to ASP.NET Identity. The solutions I have seen so far are about giving the users an option to log in with their local account (managed by ASP.NET Identity) or with their external accounts (Google, Facebook, ...). What I'm trying to achieve is to only give users option to log in with AAD. However, to manage users' roles I don't want to be dependent to AAD. I want to to be able to give the power to administration of the application to manage the roles and assign them to users independent from AAD. That's why I was thinking to use ASP.NET Identity as a tool to handle authorization only. In old ASP.NET MVC applications I was able to achieve that with Microsoft Membership. Authentication was done by an external IdP and I could retrieve users' email address from the tokens received from the IdP. So as long as a user with the same email address was found in the Membership database the user was authorized to access the application based on his/her assigned roles in Membership. |
Beta Was this translation helpful? Give feedback.
-
|
I think the answer starts the same in that case, get AAD working as an external provider for Identity. From there it's just about removing pages and endpoints from Identity for password auth and streamlining the flow so the login endpoint defaults to AAD without the user having to select it. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you Chris. You helped me to get to my "aha moment" on Identity's integration with external providers. Reading these documents in past I didn't realize matching the returning claims with an Identity User is handles in the API. |
Beta Was this translation helpful? Give feedback.
I don't have a good sample to point to, but you can treat AAD just like any other external provider for Identity. Look at this Facebook example:
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/facebook-logins?view=aspnetcore-5.0#configure-facebook-authentication